CVE-2012-4386: CSRF protection bypass

September 5, 2012 (updated August 28, 2017)

The token check mechanism in this package does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

References

struts.apache.org/docs/s2-010.html

Code Behaviors & Features

Detect and mitigate CVE-2012-4386 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →